Anomaly Detection in Linux Kernels: A Framework for SSH Intrusion Prevention
摘要
Secure Shell (SSH) is a popular target of unauthorized access and intrusion in Linux systems because of commonly used in critical infrastructure. Current intrusion detection systems are not capable of detecting real-time intrusion or having kernel visibility, which reduces their effectiveness. The work gives the possibility to introduce a kernel-integrated anomaly detection scheme to SSH intrusion protection based on eBPF and observe the entire system call in real-time via AuditD. It utilizes a hybrid model including Hidden Markov Models (HMM) together with Isolation Forest, which identifies behavior abnormalities in SSH sessions. The system was tested on the ADFA-LD system atom, UNM system call collections, and proprietary honeypot logs. The overall detection accuracy and F1-score of said approach were 96.4%, recall was 97.8%, and detection latency was on average 22.4 ms, with relatively low resource consumption: CPU overhead: 2.3%, RAM: 38.5 MB. Automatic countermeasures, including quarantine sessions and dropping IPs, were inserted. The findings indicate a very effective and dynamic solution to the SSH anomaly detection functionality on Linux kernel systems.